Vista Security Discussions Get a Rocky Start

narramissic writes "A technical glitch Thursday morning prevented many security vendors from participating in the first online discussion regarding Microsoft's plans for opening up the Vista kernel, ITworld reports. In a blog posting on the subject, Microsoft Senior Product Manager Stephen Toulouse wrote, 'We had a glitch where we sent out a messed up link. ... We're very sorry about that, it certainly was not intentional and we definitely see that was not a good thing for people to experience on such an important topic.'"

Extra! Extra!

Microsoft employee sends an email with an incorrect URL in it! Collapse of Micrsoft predicted! End of the world is nigh! Extra, Extra, read all about it!

Slashdot has just sunk to a new low of pointlessness in their "articles". Urgh.

Re:Extra! Extra!

[PreacherTom]

Oh, come on. This is the definition of amusing irony.

Re:Extra! Extra!

[Overly+Critical+Guy]

Slashdot has just sunk to a new low of pointlessness in their "articles". Urgh.

No, they haven't, though it's amusing to see Microsoft employees posting anonymously now to defend the homeland.

It's a big deal that Microsoft apparently doesn't vet its own URLs before sending them out to third-parties, especially for such an important set of interoperability discussions. The guy didn't even check the link before he sent it out? It's a competence thing (lack thereof). These things just seem to happen with Microsoft, don't they?

More eyes is a good thing

[BadAnalogyGuy]

While it seems more a move to placate a rabid EU, this move is actually pretty good for all users.

First, not all users will get the APIs. In fact, only a tiny fraction of users, all of whom work at security and anti-virus companies, will get to see these opened APIs. Why then is it good news?

It's good because it brings into the fold those most able to spot security issues. Despite Microsoft's money and the experience of their top engineers, they all have tunnel-vision when it comes to Windows. And it's not hard to see why, after all, it's their baby. So even though they've got top security people working for them looking deeply into these issues, the very nature of those engineers' employment makes it difficult to see some of the problems that an outside observer would be able to spot easily.

By turning the baby over to the wolves, so to speak, Microsoft is getting Vista tested by the best testing teams around. The OSS motto is "more eyes makes all bugs shallow", I look forward to that same principle working well here.

Re:More eyes is a good thing

[arth1]

First, not all users will get the APIs. In fact, only a tiny fraction of users, all of whom work at security and anti-virus companies, will get to see these opened APIs. Why then is it good news?

It's good because it brings into the fold those most able to spot security issues.

Why do you think those who work at security and AV companies are those most able to spot security issues?
I won't mention names, but some fairly well-known "security and AV companies" have made their business on buying up other companies products, redoing the interface every year so they can demand people pay for a new version, and dumbing the app down by removing functionality whenever something breaks, because they don't have people smart enough to fix things. Outsourced $10/hr drag-and-drop "programmers" will only get you so far, and expecting them to possess intuition, assembly language skills, or a love for discovering what a function can be pushed into doing is expecting far too much.

Also remember that security and AV companies don't want security -- if their products actually fixed security holes, they would put themselves out of business. They want their products to temporarily block attempts, nothing more.
Gurus, on the other hand, work to get the problems fixed, permanently, and the people who made the mistakes aware of what they did, and just why it was bad, so they don't repeat it.

Regards,
--
*Art

Move along....nothing to see here.

[N8F8]

To err is human.

"...we sent out a messed up link..."

[Browzer]

Like it never happened to anybody!

This is beyond bashing, this is being anal.

Re:Symantec was one of the vendors shut out

Symantec and Microsoft have a long history of a love/hate relationship and Microsoft has put more and more things into its operating system products that have closed entire markets for Symantec (and it's predecessors).

What's your point? That's the nature of the "work around defects in the operating system" market. Eventually, even Microsoft fixes them, and you don't have a market anymore. I hate Microsoft, and I still can't blame them for this. It's not like they're the first vendor to include, say, a filesystem that doesn't require constant defragmentation, or a stateful firewall.

"Accidents" happen... all too frequently

[dpbsmith]

I certainly don't think this is a case of "accidentally-on-purpose." But I do think it is a symptom of a endemic problem in the PC industry, which is lack of attention to usability because computer people are intolerant of human fallibility. Even though they exhibit just as much human fallibility as anyone else, when they encounter a technical glitch they are reluctant to blame the design of the system.

Sure, "everyone has glitches from time to time," but when people at Microsoft can't get an important web meeting to work it suggests that there's something flawed about this "all-net-all-the-time" vision they've been touting for more than five years.

Computer technology reached a peak of usability in the early 1990s, when PC vendors still felt that they had to make things easy to use (and supply real support) in order to secure adoption. Once everyone was locked in--not so much to Microsoft, but to PC technology in general--usability was allowed to deteriorate.

The pretense that unreliable, hard-to-use unfinished technology is ready for release is so imbued into Microsoft's culture that Microsoft managers are evidently willing to use unreliable, hard-to-use, unfinished technology to conduct important Microsoft public business.

Stepto should _not_ blame "us" for the "glitch" and apologize. Instead, they should take a long hard look at what it was about the technology they were using that made it easy to "send out a messed-up link."

Re:What a relief!

[bberens]

Oh please, get over yourself. Someone made a typo on a firewall rule or an e-mail and you go on some huge rant about how MS sucks and consumers everywhere should stop buying their products. It's not a religion, it's a tool. MS has some of the best tools available on the market for some tasks. Other companies like Apple, IBM, Sun, etc. have better tools for some tasks. When you try to convince people to alter the MS intertia by ranting over this insignificant thing then you give the 'other' camp a bad name. And it doesn't matter whether you're an Apple fanboy, linux fanboy, or just anti-MS. There's two main categories in most of the business world: MS and other. You give other a bad name.

God changes human not to be susceptible to disease

[dascandy]

News headline: God has changed the human being structure to not be susceptible to disease anymore. Antibiotic firms complain, consider it unfair competition.

(the point: if you're a parasite company that's living off anothers companies flaws, bugs and holes, don't complain about the cure)

Re:Oh the irony

[spun]

It's not some randome 1962 operation. Let's look at what was specifically proposed:

• Starting rumors about Cuba by using clandestine radios.
• Staging mock attacks, sabotages and riots at Guantanamo Bay and blaming it on Cuban forces.
• Firebombing and sinking an American ship at the Guantanamo Bay American military base -- reminiscent of the USS Maine incident at Havana in 1898, which started the Spanish-American War -- or destroy American aircraft and blame it on Cuban forces. (The document's first suggestion regarding the sinking of a U.S. ship is to blow up a manned ship and hence would result in U.S. Navy members being killed, with a secondary suggestion of possibly using unmanned drones and fake funerals instead.)
• "Harassment of civil air, attacks on surface shipping and destruction of US military drone aircraft by MIG type sic planes would be useful as complementary actions."
• Destroying an unmanned drone masquerading as a commercial aircraft supposedly full of "college students off on a holiday". This proposal was the one supported by the Joint Chiefs of Staff.
• Staging a "terror campaign", including the "real or simulated" sinking of Cuban refugees
• "We could develop a Communist Cuban terror campaign in the Miami area, in other Florida cities and even in Washington. The terror campaign could be pointed at Cuban refugees seeking haven in the United States. We could sink a boatload of Cubans enroute sic to Florida (real or simulated). We could foster attempts on lives of Cuban refugees in the United States even to the extent of wounding in instances to be widely publicized."
• Burning crops by dropping incendiary devices in Haiti, Dominican Republic or elsewhere.

It was a false flag operation. It was reported that the only reason it wasn't carried out was that Kennedy rejected the plan. I'm not saying 9/11 was a false flag operation, but you have to be wearing blinders not to see the similarities between this actual, documented, nearly implemented plan and what the conspiracy theorists allege about 9/11. If the US government nearly did it once, isn't it possible that, under a more hawkish president, we might actually have done what the conspiracies allege?

Re:World without reporters

[sulfur_lad]

You're taking me a bit literally and out of context, let me clarify. A world without the 'reporters' that I'm talking about would be good. We definitely need journalists, or people who legitimately report on world affairs in an unbiased neutral "here's what happened" form. We don't need tabloid media. Reading CNN's RSS vs CBC's is incredible (and the CBC is not the least biased medium out there either).

As for the congressman and pages, that thread follows my argument completely: A lot of the 'reports' you see about it are nothing but hearsay and spin (just what I expect from Fox News and / or CNN). A 'report' would be that the congressman in fact did this, the page is safe and sound, and that the republican party disapproves and are investigating while suspending the congressman's membership (hypothetical example). A 'report' is not speculation on what this will do to the Republican party's chances in terms of votes or what Dohickey McGregor thinks about the mother of the page putting him in harm's way or whatever other useless experts and theorists they dig up. That is a spin on the real story. Jon Stewart provides better impartial views and more honest analysis than the spinners do, and he is a self-professed gag-media outlet. "fake news."

The Iraq war falls into the same category: the media has us so confused with a constant barrage of "here's the real story," that nobody knows what to think. I don't even know if they know what they're saying in the first place! It's pretty much "if we say Bush is under fire and Iraq is difficult, we'll sell more ads."

This MS thing was not even news, that is my point about reporters and PR.